Date: Mon, 16 Oct 2017 16:05:25 -0700
From: John-Mark Gurney
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Subject: Re: WPA2 bugz - One Man's Quick & Dirty Response
Message-ID: <20171016230525.GA94181@funkthat.com>
In-Reply-To: <25911.1508192029@segfault.tristatelogic.com>
Ronald F. Guilmette wrote this message on Mon, Oct 16, 2017 at 15:13 -0700:
> Just like everybody else on this list, I guess, I'm rather less than
> happy about the WPA2 story that has emerged within the past 24 hours.
>
> Due to the announcement that WPA2 is, apparently, badly broken, I'm
> trying now to figure out how to lock down my home network a little
> better... as, I suspect, are many others all over the world... at
> least until the equipment vendors get around to issuing firmware patches.
>
> Up until last night, when I read the WPA2 news, I just blindly trusted
> everything on my local network, with the result being that I've got
> an /etc/exports file, and also its Samba equivalent, that are making
> each of the several top-level directories that hold most of the stuff
> on my central FreeBSD "file server" machine available, without restriction,
> to the local subnet as follows:
>
> #/etc/exports
> /home/mini-me -alldirs -network 192.168.1.0 -mask 255.255.255.0
> /one -alldirs -network 192.168.1.0 -mask 255.255.255.0
> /two -alldirs -network 192.168.1.0 -mask 255.255.255.0
> /three -alldirs -network 192.168.1.0 -mask 255.255.255.0
>
> (There's basically equivalent stuff also in my Samba config files.)
>
> In light of the recent WPA2 disclosures, it has occurred to me that
> as of today it may be a Bad Idea for me to be exporting all of this
> stuff, read/write, to all of 192.168.1.0/24.

Doesn't matter, if your network is compromised, only strong encryption and
authentication will save you..

For this you need NFSv4+kerberos, SMBv3 (which I have no clue how to ensure
things are auth/enc'd) or WebDAV over https for file sharing.  Restricting
what hosts doesn't solve the problem.

Also, w/ your config, you have to make sure your router does ingress
filtering, as many times you can spoof packets between subnets too...

> Of course, none of this is optimal... not like having real working
> WiFi security would be.  But in my specific case, if somebody manages
> to get in and fiddle, in arbitrary ways, with the communications between
> my WiFi devices... which mostly consist of just "home theater" type
> stuff in the living room... then it will be no biggie, just as long as
> whoever is doing it will, at worst, just have read-only access to my
> content files.

Best way to assume is that the network is always compromised, and that it's
up to the nodes to protect the data...

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
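As an added example that is not part of the thread, the following POSIX sh script audits exports(5) lines for the trust-by-subnet pattern quoted above and rewrites them to require Kerberos privacy (-sec=krb5p), the NFSv4+kerberos option John-Mark points to. It assumes the flavour names from FreeBSD's exports(5) (sys, krb5, krb5i, krb5p) and a working Kerberos realm and NFSv4 server; the sample exports file is constructed from the lines in Ronald's post.

```shell
#!/bin/sh
# Added example (not from the thread): audit a FreeBSD exports(5) file for
# exports that rely on network trust alone, and show the hardened form.
# exports(5) takes "-sec=flavor[:flavor...]" with flavors sys, krb5, krb5i,
# krb5p; an export with no -sec defaults to sys, i.e. the client is trusted
# on the strength of its IP address alone. Only krb5i (integrity) and krb5p
# (privacy) protect the data on the wire, which is what the reply calls for.
# Assumes a working Kerberos realm and NFSv4 server; this script only checks text.

# Constructed sample: the weak lines from the original post plus two hardened ones.
SAMPLE_EXPORTS='#/etc/exports
/home/mini-me -alldirs -network 192.168.1.0 -mask 255.255.255.0
/one -alldirs -network 192.168.1.0 -mask 255.255.255.0
/two -sec=krb5p -alldirs -network 192.168.1.0 -mask 255.255.255.0
V4: / -sec=krb5p:krb5i -network 192.168.1.0 -mask 255.255.255.0'

# Read exports(5) lines on stdin; print "WEAK (sec=...): <line>" for each
# export whose flavours include neither krb5i nor krb5p.
audit_exports() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac       # skip blanks and comments
        sec=$(printf '%s\n' "$line" | sed -n 's/.*-sec=\([^ ]*\).*/\1/p')
        case ":${sec:-sys}:" in
            *:krb5p:*|*:krb5i:*) ;;                      # wire integrity or privacy required
            *) printf 'WEAK (sec=%s): %s\n' "${sec:-sys}" "$line" ;;
        esac
    done
}

# Rewrite one export line so it requires krb5p; lines that already carry an
# explicit -sec are returned unchanged (the admin chose that flavour deliberately).
harden_export_line() {
    case "$1" in
        *-sec=*) printf '%s\n' "$1" ;;
        *' -'*)  printf '%s\n' "$1" | sed 's/ -/ -sec=krb5p -/' ;;   # before the first option
        *)       printf '%s -sec=krb5p\n' "$1" ;;                    # bare path, no options
    esac
}

# Harden every non-comment line of an exports file read on stdin.
harden_exports() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) printf '%s\n' "$line" ;; *) harden_export_line "$line" ;; esac
    done
}

echo '== weak exports in sample =='
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
echo '== hardened exports =='
printf '%s\n' "$SAMPLE_EXPORTS" | harden_exports
```

Kerberos flavours only take effect once the server side is running with NFSv4 and gssd enabled, so treat the audit as a check on the file, not on the running service.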